Message-ID: <552236D0.8030309@hellea.eu>
Date: Mon, 06 Apr 2015 09:33:36 +0200
From: Jean-Charles de Longueville
To: "alpine-user@lists.alpinelinux.org"
Subject: Re: [alpine-user] NFS mount in LXC
In-Reply-To: <20150405121408.1b161feb@ncopa-laptop>

On 05/04/15 12:14, Natanael Copa wrote:
> On Sat, 04 Apr 2015 12:57:34 +0200
> Jean-Charles de Longueville wrote:
>
>> Hi,
>>
>> I can mount an NFS share from an AL box.
>> But I cannot from an AL LXC on same box (same share) :(
>> Everything is running latest stable version.
>>
>> nfstest:~# mount -t nfs -o ro nfsserver:/srv/boot/alpine /mnt
>> mount.nfs: Operation not permitted
>> mount: permission denied (are you root?)
>
> dmesg should tell you that grsecurity tries to prevent you from doing this.
>
> grsecurity does not permit the syscall mount from within a chroot since
> that is a way to break out of a chroot. This affects lxc containers too.
>
> I would recommend that you do the mounting from the lxc host in the
> container config with lxc.mount.entry or similar.
>
> https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR

this is not working with

lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0

backend:~# lxc-start -n nfstest
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount 'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for 'nfstest'
lxc-start: start.c: do_start: 688 failed to setup the container
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'

> If you still want to disable mount protection in grsecurity then you
> can do that with:
> echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount

this is not working either

>> nfstest:~# tail /var/log/messages
>> Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting
>> Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC
>> Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read
>> /var/lib/nfs/state: Address in use
>> Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state
>> Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM
>> state number: Operation not permitted
>> Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root.
>> chown /var/lib/nfs to choose different user
>>
>> This log is when starting rpc.statd not when trying to mount the share.
>>
>> nfstest:~# ls -l /var/lib/nfs
>> total 12
>> -rw-r--r-- 1 root root 0 Nov 10 15:43 etab
>> -rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab
>> drwx------ 2 nobody root 4096 Apr 4 10:05 sm
>> drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak
>> -rw-r--r-- 1 root root 4 Apr 4 10:05 state
>> -rw-r--r-- 1 root root 0 Nov 10 15:43 xtab
>>
>> any clue?
>

--
Regards,
Jean-Charles de Longueville